Palo Alto Updates Issue on Multi VSYS system

L3 Networker

Hi All,

Hoping an answer can be provided to this multi vsys Palo Alto I am deploying.

I enabled the operational status of one of the virtual firewalls I am providing, making it fully internet facing with GlobalProtect operating on the outside interface. This is operating without issue.

When I enabled this VSYS to an operational status I had to make changes to the inside routing to get all the BGP sessions established - it was left in a test state by a predecessor - but this is all working well.

What seems to have happened is the software and dynamic updates have stopped updating. I have checked from CLI and from the MGT interface I have internet connectivity and it is routing via the working VSYS without issue. I have also confirmed that from CLI I can see the MGT interface from the internal and it routes as expected.

I can see the traffic going out to internet but the update times out and the log shows as application incomplete.

I have tried to set the update to use the VSYS outside address as the update path through the Service Route Configuration but this produces the same result. In the Service Route Configuration I have the option of Palo Alto Network Services (no Palo Alto Updates option) which I used.

Any ideas? The rule and NAT are there and being used, routing seems to be correct. Things like NTP and DNS are not reporting an issue.

Regards

Adrian


Accepted Solutions
L7 Applicator

Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?

You could try replacing the updates server with staticupdates.paloaltonetworks.com in case you're having issues connecting to the cloud instance.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374

All Replies
L3 Networker

I have "Verify Update Server Identity" and am currently not doing ssldecrypt.

Strangely, staticupdates.paloaltonetworks.com works. Any idea why the original would stop after making the new Vsys live? It originally went through a test Vsys and route before I made the change but this was 2 weeks ago.

Regards

Adrian

L7 Applicator

The original update server is cloud-based, so the IP tends to skip around.

There may be a routing/peering issue with the IP you're trying to reach via your new route.

Tom Piens - PANgurus.com
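
One way to test the "IP skips around" explanation above, as an added example that is not part of the original thread: resolve each update hostname several times and TCP-test every address seen on port 443, so a path problem affecting only some addresses becomes visible. Assumptions: the script runs on a host whose traffic leaves through the same route and NAT as the firewall's service route, and `updates.paloaltonetworks.com` is the default update server name (the thread names only the static one); the function names are illustrative.

```python
import socket

# Hostnames: the static one is named in the thread; the default one is PAN-OS's
# standard update server and is an assumption here (the thread does not name it).
DEFAULT_HOST = "updates.paloaltonetworks.com"
STATIC_HOST = "staticupdates.paloaltonetworks.com"

def resolve(host, port=443):
    """Return the sorted set of IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_ok(ip, port=443, timeout=5.0, source_ip=None):
    """True if a TCP handshake to ip:port completes, optionally from source_ip."""
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((ip, port), timeout=timeout, source_address=src):
            return True
    except OSError:
        return False

def probe(host, rounds=3, resolver=resolve, connector=tcp_ok):
    """Resolve host `rounds` times (cloud-hosted names rotate addresses) and
    TCP-test each new address once. Returns {ip: reachable}."""
    results = {}
    for _ in range(rounds):
        try:
            ips = resolver(host)
        except OSError:
            continue  # DNS failure this round; keep whatever was seen earlier
        for ip in ips:
            if ip not in results:
                results[ip] = connector(ip)
    return results

def summarize(results):
    """Classify a probe result as 'no-dns', 'all-ok', 'all-fail' or 'partial'."""
    if not results:
        return "no-dns"
    ok = sum(results.values())
    if ok == len(results):
        return "all-ok"
    return "all-fail" if ok == 0 else "partial"

if __name__ == "__main__":
    for name in (DEFAULT_HOST, STATIC_HOST):
        res = probe(name)
        print(name, summarize(res), res)
```

A `partial` or `all-fail` result for the default name alongside `all-ok` for the static name points at the path to specific addresses rather than at the firewall's rule, NAT or DNS.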
L3 Networker

Thanks. I have escalated to our support people. All internet traffic works except to these particular cloud servers. Hopefully they can help.

Regards

Adrian
